Thursday, 4 October 2018

This week’s CJEU judgment
in Case C-207/16 Ministerio Fiscal is
part of the jurisprudence on the ePrivacy
Directive, specifically Article 15 which broadly allows Member States to
permit intrusions into the confidentiality of communications for certain
specified reasons. Article 15 is part of
the legal framework for the mass retention of communications data from Digital Rights
Ireland(Case C-293/12 and
594/12), EU:C:2014:238) (“DRI”) on and in which the Court has affirmed that retention
schemes could be justified only in the case of “serious crime” (Tele2/Watson
(Joined Cases C-203/15 and C-698/15), ECLI:EU:C:2016:970). This left the question of what “serious
crime” might be, and whether there would be EU law standards circumscribing the
scope of this term. It is this question that the reference here seeks to
address, though it should be noted that the facts in issue were very different
from those in the earlier cases.

Facts

The reference arose in the
context of a police investigation relating to the theft of a wallet and a
mobile phone. The police wished to
identify the new phone number associated with the stolen phone, as well as the
details of persons associated with that new number. However, Spanish law required that – to
access such information – the police must be investigating a serious crime and
the domestic courts here found that the facts giving rise to the investigation
did not constitute a serious crime according to Spanish law. The reference to
“serious crime” can be found in the Court’s case law in DRI, which –
considering the right to private life and to data protection in Article 7 and 8
of the EU Charter of Fundamental Rights, set that as a minimum threshold for
the retention of communications data en masse by telecommunications operators.

The national court referred a
question on the meaning of Article 15(1) of the ePrivacy Directive (Directive
2002/58/EC, as amended) in the light of this jurisprudence. Article 15 allows Member States to restrict
some of the rights granted by the ePrivacy Directive in the interests of, inter
alia, the prevention, investigation, detection and prosecution of criminal
offences. The national court asked
whether the use of length of sentence available for a crime can be used to
determine whether ‘it is also necessary to identify in the criminal conduct
particular levels of harm to individual and/or legally protected
interests’? If length of sentence period
alone suffices, is there a minimum in order to comply with the requirements of DRI?

Judgment

The first issue before the Court
was that of its jurisdiction to hear the question. Both the Spanish and UK
governments argued that the Court did not have jurisdiction because criminal
law is excluded from the scope of the Data Protection Directive (Art 3(2)) and
the ePrivacy Directive (Art 1(3)). The
Court referred, however, to its previous judgments in this field, to hold that
legislative measures derogating from the rights in the ePrivacy Directive based
on Article 15 still come within its scope even if the measures pursue
objectives which overlap substantially with the fields excluded from the
ePrivacy Directive by Article 1(3). [para 34]
It concluded, relying on Tele
2/Watson, that the scope of the ePrivacy Directive:

extends not
only to a legislative measure that requires providers of electronic
communications services to retain traffic and location data, but also to a
legislative measure relating to the access of the national authorities to the
data retained by those providers [para 35].

The Court also dismissed other
submissions on admissibility made by the Spanish government, re-iterating its
long-standing position that ‘where the questions put by national courts concern
the interpretation of a provision of EU law, the Court is, in principle, bound
to give a ruling’ [para 45].

The Court considered the two
questions referred by the Spanish court together. The Court specified that the
question in issue did not relate to the compliance of the communications
service providers with the law but ‘whether, and to what extent, the objective
pursued by the legislation .. is capable of justifying the access of the public
authorities, such as the police, to the data…’ [para 49]. The Court reiterated
the approach taken by its Advocate-General to hold that there would be an
interference through such access, even if such interference was not serious,
nor the data accessed sensitive.

The Court noted that the list of
objectives for the purpose of Article 15 ePrivacy Directive is exhaustive and
that the authorities’ need for access must genuinely correspond to one of those
objectives. Article 15 does not, however,
limit access to the fight against serious crime – it refers to criminal
offences generally. The reference to “serious” comes from the Court’s case law
where it was dealing with situations involving a serious interference with the
right to private life.

By contract,
when the interference that such access entails is not serious, that access is
capable of being justified by the objective of preventing, investigating,
detecting and prosecuting ‘criminal offences’ generally [para 57].

The Court then redefined the
object of its considerations to the question of whether the interference in
this case was ‘serious’. Since the data
sought related only to a short period of time and could not be cross referenced
with other data, precise conclusions regarding the private lives of the persons
in issue could not be drawn. Therefore there was not a serious interference
with the individuals’ right to private life.

Comment

This judgment could be described
as tactical. The Court has re-iterated
that it does have jurisdiction in these areas covered by Article 15. Although
earlier jurisprudence on the ePrivacy Directive distinguished between the
commercial operators’ obligation to retain data (falling within the internal
market) and access by the police to those data, the Court did not limit its
power of review in Tele2/Watson along
those lines, and it followed that Tele2/Watson
approach here. Access to the data by
state authorities requires processing by the telecommunications operators (see
para 37).

At the same time the Court
stepped away from the difficult question, through its reformulation of what the
referring court asked. In so doing, it
avoided the issue not just of what “serious crime” is, but that of whether
“serious crime” is an autonomous EU concept.
In this the Court followed its Advocate General (Opinion
3 May 2018, ECLI:EU:C:2018:300) who went as far as to argue that “criminal law”
should not be an autonomous concept of EU law.
While it avoided this question, and indirectly answered the question as
to whether access to communications data for anything less than serious crime
is permissible under EU law, it has not helped the Spanish court which is faced
with a national law that specifically refers to a threshold of seriousness.
Moreover, in emphasising its proportionality argument to suggest that the
access for less serious crimes could be permissible, there is a danger that
this may be read as saying that national laws should so allow access – an
interpretation which would oversteps the bounds of its competence just as much
as defining “serious crime” would.

The judgment re-iterates that
Articles 7 and 8 of the Charter are engaged whether or not the interference is
deemed serious or not; equally, the ruling recognises that there may be
different levels of intrusion that need greater or lesser justifications. Here the data sought was limited in type, and
related to a limited period of time. The question of what is intrusive,
especially in the context of the use of predictive analytics, has not yet been
fully answered.

The Court’s emphasis on its
previous caselaw, notably Tele2/Watson
as well as DRI, may be seen as trying
to build a consistent approach within this case law and also reaffirming the
principles laid down in those cases.
This judgment can then be seen as a re-affirmation of the approach in Tele2/Watson, which might be significant
in the light of pending references seeking to ask the court to resile from its
position there, notably the questions referred by the IPT in the Privacy International litigation (Case
C-623/17, pending) regarding the scope of exclusive Member State competence
as regards national security.

One final point is about the
implications of the Court’s ruling on recent English caselaw – the Court of
Appeal in Watson
([2018] EWCA Civ 70) and the Divisional Court in Liberty
([2018] EWHC 975 (Admin)). In Liberty, the Government argued,
successfully, that a category of communications data in the Investigatory
Powers Act, “entity data”, did not fall within the ePrivacy Directive and
therefore the ruling in Tele2/Watson
as it was neither "traffic data" or "location data" within
Article 2. The Court declared the matter
acte clair and refused to make a
reference to the Court of Justice (Liberty, paras 154-55). Yet, the very data that the Spanish
authorities were seeking in the case before the Court of Justice were those
that would identify the users of a phone, not the details of those users’
communications. The Spanish Government put forward a similar argument, but the
Court declared this to be “irrelevant” [para 40]. Expressly following its
Advocate General, the Court held that the ePrivacy Directive “governs all
processing of personal data in connection with the provision of electronic
communications services” [para 41]. This
holding throws some doubt on the Divisional court’s view both as to the scope
of the ePrivacy Directive and certainly the fact that the interpretation of the
directive is acte clair.